syntax = "proto3";

package datadog.cws.dumpsv1;

// Code-generation targets. These names are part of the published package
// contract (downstream imports depend on them), so treat them as fixed.
option go_package = "github.com/DataDog/agent-payload/v5/cws/dumpsv1";
option java_multiple_files = false;
option java_outer_classname = "SecDumpProto";
option java_package = "com.dd.cws.adv1.pb";
// Top-level activity dump payload: origin identifiers (host, service,
// source), collection metadata, free-form tags and the captured process tree.
message SecDump {
  string host = 1;
  string service = 2;
  string source = 3;
  Metadata metadata = 4;
  repeated string tags = 5;
  // Root process nodes. ProcessActivityNode is self-recursive through its
  // `children` field, so nesting depth is not bounded by the schema; a parser
  // only enforces its own recursion limit (commonly ~100). Consumers that
  // accept dumps from less-trusted sources should cap depth in application
  // code.
  repeated ProcessActivityNode tree = 6;
}
// Collection metadata attached to a dump or profile: agent/kernel details,
// the workload it describes and the collection window.
// Field numbers are not in declaration order (13 and 14 sit among lower
// numbers, presumably added later); never renumber them.
message Metadata {
  string agent_version = 1;
  string agent_commit = 2;
  string kernel_version = 3;
  string linux_distribution = 4;
  string arch = 13;
  string name = 5;
  string protobuf_version = 6;
  // Whether process arguments were taken into account when building the
  // tree (inferred from the name — confirm against the producer).
  bool differentiate_args = 7;
  string comm = 8;
  string container_id = 9;
  // Collection window bounds. Units are not stated in this schema
  // (NOTE(review): presumably timestamps — confirm with the producer).
  uint64 start = 10;
  uint64 end = 11;
  // Size of the dump; unit not stated here (bytes vs. node count — confirm).
  uint64 size = 12;
  string serialization = 14;
}
// Identifies the container image a SecurityProfile applies to.
message ProfileSelector {
  string image_name = 1;
  string image_tag = 2;
}
// Per-context state of a security profile (see SecurityProfile.profile_contexts).
message ProfileContext {
  // Observation bounds; units are not stated in this schema — confirm with
  // the producer before interpreting.
  uint64 first_seen = 1;
  uint64 last_seen = 2;
  // Keyed by a uint32 (presumably an event type identifier — verify against
  // the producer). Map iteration order is undefined on the wire.
  map<uint32, event_type_state> event_type_state = 3;
  // Syscall numbers observed in this context.
  repeated uint32 syscalls = 4;
  repeated string tags = 5;
}
// A security profile: a process tree plus per-context learning state for a
// selected image. Deprecated fields remain for wire compatibility and should
// not be written by new producers; their numbers must never be reused.
message SecurityProfile {
  uint32 status = 1 [deprecated = true];
  string version = 2 [deprecated = true];
  Metadata metadata = 3;
  repeated string tags = 4 [deprecated = true];
  repeated uint32 syscalls = 5 [deprecated = true];
  // Same recursive-depth caveat as SecDump.tree applies here.
  repeated ProcessActivityNode tree = 6;
  // Keyed by string; the key's meaning is not defined in this file — confirm
  // with the producer (ProfileSelector.image_tag is one candidate).
  map<string, ProfileContext> profile_contexts = 7;
  ProfileSelector selector = 8;
}
// One process in the activity tree, with the file, DNS, socket, syscall and
// IMDS activity attributed to it. Self-recursive via `children`.
message ProcessActivityNode {
  ProcessInfo process = 1;
  // Field 2 was removed; the number stays reserved so it cannot be reused
  // with a different meaning.
  reserved 2;
  // How this node was produced (runtime observation vs. snapshot).
  GenerationType generation_type = 8;
  repeated MatchedRule matched_rules = 9;
  // Child processes. Depth is unbounded by the schema; see SecDump.tree.
  repeated ProcessActivityNode children = 3;
  repeated FileActivityNode files = 4;
  repeated DNSNode dns_names = 5;
  repeated SocketNode sockets = 6;
  // Syscall numbers observed for this process.
  repeated uint32 syscalls = 7;
  repeated string image_tags = 10;
  repeated IMDSNode imds_events = 11;
}
// Static description of a process: identifiers, executable, credentials and
// command line / environment as captured.
message ProcessInfo {
  uint32 pid = 1;
  uint32 tid = 2;
  uint32 ppid = 3;
  // Superseded; `cookie64` below is the 64-bit replacement (inferred from
  // the names — confirm before relying on it).
  uint32 cookie = 4 [deprecated = true];
  bool is_thread = 5;
  FileInfo file = 6;
  string container_id = 7;
  uint64 span_id = 8 [deprecated = true];
  uint64 trace_id = 9 [deprecated = true];
  string tty = 10;
  string comm = 11;
  // Lifecycle timestamps; units are not stated in this schema — confirm.
  uint64 fork_time = 12;
  uint64 exit_time = 13;
  uint64 exec_time = 14;
  Credentials credentials = 15;
  // Command-line arguments; `args_truncated` reports that the list was cut.
  repeated string args = 16;
  string argv0 = 17;
  bool args_truncated = 18;
  // Process environment; `envs_truncated` reports that the list was cut.
  // NOTE(review): environment variables routinely carry secrets, so a dump
  // with this field populated must be stored and transmitted as sensitive.
  repeated string envs = 19;
  bool envs_truncated = 20;
  bool is_exec_child = 21;
  uint64 cookie64 = 22;
}
// One path component in a process's file activity; self-recursive via
// `children` to form a path tree.
message FileActivityNode {
  repeated MatchedRule matched_rules = 9;
  repeated string image_tags = 10;
  string name = 1;
  // When true, `name` is a pattern rather than a literal path component.
  bool is_pattern = 7;
  FileInfo file = 2;
  // Field 3 was removed; the number stays reserved.
  reserved 3;
  GenerationType generation_type = 8;
  // Units not stated in this schema — confirm with the producer.
  uint64 first_seen = 4;
  // Set when an open() on this node was observed.
  OpenNode open = 5;
  // Depth is unbounded by the schema; see SecDump.tree.
  repeated FileActivityNode children = 6;
}
// Details of an observed open() call.
message OpenNode {
  // Signed (ZigZag-encoded) so negative error returns encode compactly.
  sint64 retval = 1;
  uint32 flags = 2;
  uint32 mode = 3;
}
// DNS activity attributed to a process.
message DNSNode {
  repeated MatchedRule matched_rules = 2;
  repeated string image_tags = 3;
  repeated DNSInfo requests = 1;
}
// A single DNS request. `type` and `class` are language keywords in several
// codegen targets and produce awkward accessors; renaming would break
// generated code, so they stay as-is.
message DNSInfo {
  string name = 1;
  uint32 type = 2;
  uint32 class = 3;
  uint32 size = 4;
  uint32 count = 5;
}
// An instance-metadata-service (IMDS) access attributed to a process.
message IMDSNode {
  repeated MatchedRule matched_rules = 1;
  repeated string image_tags = 2;
  IMDSEvent event = 3;
}
// Observed IMDS request/response metadata.
message IMDSEvent {
  string type = 1;
  string cloud_provider = 2;
  string url = 3;
  string host = 4;
  string user_agent = 5;
  string server = 6;
  // Populated only for AWS; other providers leave it unset.
  AWSIMDSEvent aws = 7;
}
// AWS-specific IMDS details.
message AWSIMDSEvent {
  // True when the request used IMDSv2 (session-token based) rather than v1.
  bool is_imds_v2 = 1;
  AWSSecurityCredentials security_credentials = 2;
}
// Metadata of an AWS security-credentials record seen via IMDS. Only
// identifying/lifecycle fields are modeled; there is deliberately no field
// for the secret access key or session token, and none should be added —
// dumps are not a safe place for secret material.
message AWSSecurityCredentials {
  string code = 1;
  string type = 2;
  // Public identifier of the key pair, not the secret.
  string access_key_id = 3;
  // Timestamps kept as raw strings as returned by IMDS.
  string last_updated = 4;
  string expiration_raw = 5;
}
// Filesystem metadata for a file (executable or accessed path).
message FileInfo {
  uint32 uid = 1;
  string user = 2;
  uint32 gid = 3;
  string group = 4;
  uint32 mode = 5; // TODO: check conversion with uint16
  // Units not stated in this schema — confirm with the producer.
  uint64 ctime = 6;
  uint64 mtime = 7;
  uint32 mount_id = 8;
  uint64 inode = 9;
  // Overlay-filesystem placement (inferred from the name — confirm).
  bool in_upper_layer = 10;
  string path = 11;
  string basename = 12;
  string filesystem = 13;
  // Owning package, when the producer could resolve one.
  string package_name = 14;
  string package_version = 15;
  string package_srcversion = 16;
  // Content hashes; algorithm/encoding are not stated in this schema.
  // `hash_state` explains why this may be empty.
  repeated string hashes = 17;
  HashState hash_state = 18;
}
// Outcome of hashing a FileInfo. Values are unprefixed (e.g. DONE), which
// risks collisions with other enums in this package; renaming would break
// generated code, so new values should at least avoid generic names.
enum HashState {
  NO_HASH = 0;
  DONE = 1;
  FILE_NOT_FOUND = 2;
  PATHNAME_RESOLUTION_ERROR = 3;
  FILE_TOO_BIG = 4;
  EVENT_TYPE_NOT_CONFIGURED = 5;
  HASH_WAS_RATE_LIMITED = 6;
  UNKNOWN_HASH_ERROR = 7;
}
// Process credentials: real, effective and filesystem ids with resolved
// names, plus capability sets.
message Credentials {
  uint32 uid = 1;
  uint32 gid = 2;
  string user = 3;
  string group = 4;
  uint32 effective_uid = 5;
  uint32 effective_gid = 6;
  string effective_user = 7;
  string effective_group = 8;
  uint32 fs_uid = 9;
  uint32 fs_gid = 10;
  string fs_user = 11;
  string fs_group = 12;
  // Capability sets; presumably Linux capability bitmasks — confirm the
  // bit layout with the producer before decoding.
  uint64 cap_effective = 13;
  uint64 cap_permitted = 14;
}
// Socket activity for one address family, with the observed bind() calls.
message SocketNode {
  string family = 1;
  repeated BindNode bind = 2;
}
// A single observed bind(): local address, port and protocol.
message BindNode {
  repeated MatchedRule matched_rules = 3;
  repeated string image_tags = 4;
  uint32 port = 1;
  string ip = 2;
  uint32 protocol = 5;
}
// How a tree node was produced. Values are unprefixed (UNKNOWN in particular
// is a likely collision with other enums in this package); renaming would
// break generated code, so they stay.
enum GenerationType {
  UNKNOWN = 0;
  RUNTIME = 1;
  SNAPSHOT = 2;
}
// A detection rule that matched on a node, with the policy it came from.
message MatchedRule {
  string rule_id = 1;
  string rule_version = 2;
  string policy_name = 3;
  string policy_version = 4;
  map<string, string> rule_tags = 5;
}
// Learning state of a profile for one event type. The type name is
// lower_snake_case and values are unprefixed, against the usual convention;
// both are part of the generated API now, so do not rename.
enum event_profile_state {
  NO_PROFILE = 0;
  PROFILE_AT_MAX_SIZE = 1;
  UNSTABLE_PROFILE = 2;
  STABLE_PROFILE = 3;
  AUTO_LEARNING = 4;
  WORKLOAD_WARMUP = 5;
}
// Per-event-type state stored in ProfileContext.event_type_state. Message
// name is lower_snake_case; it is part of the generated API, do not rename.
message event_type_state {
  // Nanoseconds per the suffix; epoch/clock source not stated here — confirm.
  uint64 last_anomaly_nano = 1;
  event_profile_state event_profile_state = 2;
}